Let me make this perfectly clear. I would never recommend that a company roll out SIP clients (hard or soft telephones) without enacting comprehensive security policies. This applies to endpoints inside and outside the corporate network. Security is something that needs to be applied regardless of how or where users connect their devices. If a hacker can't hack from the outside, he or she will hack from the inside.
As I have said many times before, security is not something that can be applied in only one place. An effective strategy looks at all points of entry as well as all aspects of media transmission. When it comes to SIP clients, this means everything from login to signaling to the actual conversation. Each element has its own set of requirements and security methodologies.
Today I would like to spend a little time on certificate management. I will be specific about how Avaya endpoints interact with certificates, but much of this discussion applies to other vendors' products as well.
Did you read my recent article about security – A Primer on Communications Security? If so, you know that a certificate is similar to a passport. It is used to prove the identity of an IP entity or service. For example, your bank’s website uses a certificate to prove to your web browser that it really is your bank and not an impostor.
IP communications use certificates in a number of different ways. Like that bank, they are used to ensure that different services really are what they claim to be. Besides identity and authentication, they anchor the key exchange that encryption depends on.
In SIP, we deal with two forms of encryption: signaling and media. SIP signaling is encrypted with Transport Layer Security (TLS), and media is encrypted with the Secure Real-time Transport Protocol (SRTP). Used together, an enterprise can be assured that both the call setup and the conversation itself stay private. Keep in mind that the two depend on each other: the SRTP keys are usually carried in the SDP inside the SIP signaling, so the media is only as private as the TLS connection that carried those keys, and TLS protects each SIP hop separately, so every proxy in the path must be configured for it.
For a deeper understanding of TLS, please see my article Understanding Transport Layer Security (TLS).
This brings up two questions. First, do I need a certificate on my SIP client? The answer is yes. Strictly speaking, what the client needs is the certificate of the authority that issued the server's certificate (a trust anchor), not a certificate of its own: without it the client cannot verify who it is talking to, and a TLS connection that cannot be verified either fails or, worse, is accepted without knowing whether the far end is really your call server. The signaling and media keys that follow are only as trustworthy as that check.
Second, how do I install a certificate on a SIP client? The answer to this question depends on what kind of client you are talking about. The steps vary for physical phones, PC clients, and mobile users.
SIP Certificates on a Windows PC
Let’s begin with the Windows PC client. In my case, I have run two. The Avaya One-X Communicator has been around for a few years as an H.323 client, but more recently it was enhanced to support SIP. The latest offering from Avaya is simply called Avaya Communicator.
The best way to get a certificate onto a large number of PCs is to have your Windows administrator distribute them via Group Policy. This will automatically install the certificate on the correct PCs without any end user interaction.
If for some reason that isn't possible, a certificate can be manually installed with the following steps:
- Obtain the certificate from the vendor, along with its fingerprint, so that you can confirm the file you received is genuine before you trust it.
- Start–>Run and type certmgr.msc (this opens the current user's store; certlm.msc opens the machine-wide store that Group Policy populates).
- From there, import the certificate into the correct logical stores. In the case of Avaya, these are Trusted Root Certification Authorities and Trusted Publishers.
The following is a screenshot of my Trusted Root Certification Authorities store. Note the certificate named SIP Product Certificate Authority. This is the Avaya certificate used by its PC SIP clients.
If I double-click the certificate and look at the Issuer field, I see that it does indeed come from Avaya.
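As an added example (this is not code from the original article or from Avaya), the following PowerShell script performs the manual import above with the checks an administrator should make first: it pins the certificate's thumbprint to the value the vendor published, reads the issuer and expiry the way you would by double-clicking the certificate, and imports into both stores only if the certificate is not already there. The file path, the placeholder thumbprint and the choice of the machine-wide stores are assumptions to replace with your own values.

```powershell
# Added example, not from the original article or from Avaya. Verify a vendor CA
# certificate before trusting it, then import it into the two stores the article
# names. Run from an elevated PowerShell prompt on the PC that runs the SIP client.
# Assumptions: the file name, the store scope (LocalMachine, i.e. all users, which is
# what Group Policy would populate; use Cert:\CurrentUser\... for a per-user install
# equivalent to certmgr.msc) and the expected thumbprint are placeholders.

param(
    [string]$CertPath = 'C:\certs\sip_product_root.crt',
    # Placeholder: the SHA-1 thumbprint the vendor publishes for this CA certificate.
    [string]$ExpectedThumbprint = '0000000000000000000000000000000000000000',
    [string[]]$Stores = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\TrustedPublisher')
)

# Load the certificate from the PEM or DER file without touching any store yet.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# 1. Pin the thumbprint. A root certificate is self-signed, so nothing in the file
#    itself proves it came from the vendor; the fingerprint you got out of band does.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected. Not importing."
}

# 2. The checks a reader would otherwise do by double-clicking the certificate:
#    a root is self-signed, must still be valid, and should carry the issuer you expect.
if ($cert.Subject -ne $cert.Issuer) {
    Write-Warning "Not self-signed (issuer: $($cert.Issuer)); this is an intermediate, not a root."
}
if ((Get-Date) -gt $cert.NotAfter) { throw "Certificate expired on $($cert.NotAfter)." }
"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Expires : $($cert.NotAfter)"

# 3. Import into each store only if it is not already present, so the script is
#    idempotent and can be re-run or pushed by a management tool.
foreach ($store in $Stores) {
    $present = Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if ($present) {
        "Already present in $store"
    } else {
        Import-Certificate -FilePath $CertPath -CertStoreLocation $store | Out-Null
        "Imported into $store"
    }
}
```

The thumbprint pin is the step that matters: a trust anchor installed without checking it against a value obtained through a separate channel is only as trustworthy as the download that delivered it.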
SIP Certificates on a Mobile Device
I also run Avaya's One-X Mobile SIP for iOS, and it too needs a certificate. As with a Windows PC, there are two ways to install it. My company uses MobileIron for managing and securing iPhones and Android smartphones. MobileIron allows an administrator to push certificates to mobile devices in the same way that a Windows administrator uses Group Policy.
A second option is to put the certificate on a web server and give mobile users a URL to the file. The user then opens the URL from his or her device and accepts the install prompt. Because whoever controls that file controls what the device will trust, serve it over HTTPS and publish the certificate's fingerprint out of band so that users can check the details the device shows before accepting.
Certificates on Avaya Desk Telephones
In addition to my PC and mobile devices, I still have an old-fashioned desk telephone. Of course, my 9641 runs a SIP load, and it needs a certificate too. For these devices, you install the certificate by setting an entry in the 46xxsettings file. Specifically, you identify the certificate files in the following section using the TRUSTCERTS variable:
################### CERTIFICATE SETTINGS #################
## Authentication Certificates
## List of trusted certificates to download to phone. This
## parameter may contain one or more certificate filenames,
## separated by commas without any intervening spaces.
## Files may contain only PEM-formatted certificates.
## SET TRUSTCERTS avayaprca.crt,sip_product_root.crt,avayacallserver.crt
The shipped template leaves that line commented out; remove the leading ## and list your own files. After the phone downloads the 46xxsettings file, it fetches the designated certificate files from the same file server and loads them as its trust anchors.
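As an added example (again, not code from the original article or from Avaya), here is a PowerShell check to run on the file server before the phones pick up a new 46xxsettings file. It finds the active (uncommented) SET TRUSTCERTS line, enforces the rules stated in the template comments above (comma-separated, no intervening spaces, PEM only), confirms every named file exists, and prints what the phones will actually trust. The document-root path is a placeholder, and the script assumes the certificate files sit in the same directory as the settings file.

```powershell
# Added example, not from the original article or from Avaya. Validate the
# TRUSTCERTS entry of a 46xxsettings.txt file and the certificate files it names.
# Assumptions: the settings file path is a placeholder for your file server's
# document root, and the certificates live in the same directory as the settings file.

param([string]$SettingsFile = 'C:\inetpub\wwwroot\46xxsettings.txt')

$root = Split-Path -Parent $SettingsFile
$ok = $true

# Only an uncommented SET line counts; the shipped template leaves its example
# behind "##", which the phone ignores.
$lines = @(Get-Content -Path $SettingsFile |
    Where-Object { $_ -match '^\s*SET\s+TRUSTCERTS\s+\S' })
if ($lines.Count -eq 0) {
    throw "No active 'SET TRUSTCERTS' line found in $SettingsFile (is it still commented out?)"
}
if ($lines.Count -gt 1) {
    Write-Warning "Multiple SET TRUSTCERTS lines found; keep only one."
}
$value = ([regex]::Match($lines[-1], '^\s*SET\s+TRUSTCERTS\s+(.*)$')).Groups[1].Value.Trim()

# Template rule: filenames separated by commas without any intervening spaces.
if ($value -match '\s') {
    Write-Warning "TRUSTCERTS value contains whitespace: '$value'"
    $ok = $false
}

foreach ($name in ($value -split ',')) {
    $path = Join-Path $root $name
    if (-not (Test-Path -Path $path)) {
        Write-Warning "$name : not found on the file server"
        $ok = $false
        continue
    }
    # Template rule: PEM only. A DER file starts with a 0x30 byte, not this header.
    $first = Get-Content -Path $path -TotalCount 1
    if ($first -ne '-----BEGIN CERTIFICATE-----') {
        Write-Warning "$name : not a PEM certificate (first line: '$first')"
        $ok = $false
        continue
    }
    # Show what the phone will trust so a stale or wrong CA is caught here.
    # (Only the first certificate in a multi-certificate PEM file is inspected.)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $path
    $days = [int](($cert.NotAfter - (Get-Date)).TotalDays)
    "{0,-28} {1} expires in {2} days  {3}" -f $name, $cert.Thumbprint, $days, $cert.Subject
    if ($days -lt 0) { Write-Warning "$name : already expired"; $ok = $false }
}

if (-not $ok) { exit 1 }
"TRUSTCERTS check passed: $value"
```

Run it as part of whatever process publishes the settings file; a non-zero exit stops a broken list (a missing file, a stray space, a DER file) from reaching phones that would otherwise silently fail to load their trust anchors.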
I hope this helps you understand what might otherwise be a difficult subject. As you saw, installing certificates on the different device types is not hard, and it is what makes the rest possible: with the right trust anchors in place, your SIP clients can verify the servers they talk to, and the TLS and SRTP sessions that follow keep your conversations away from prying eyes and ears.
Excellent article. Thanks for sharing.
Thanks for reading!
Very informative article, thanks for sharing.
Always enjoy reading your articles. Once again very easily explained. Thanks for the info.
Akash, thank you for reading and subscribing!
Thanks for the article. Though it is clear to me how to secure SIP communication with certificates, I have always wondered how to protect access to the certificate depository server that Avaya IP phones need to download them from. I mean, Avaya phones need to download both private and public keys from that server. If any Avaya phone has access to them, then any other malicious user can get them too.
Hi Andrew, thanks for the article. Would you happen to know where I would obtain a default certificate for 1XC to register with Session Manager?
You can obtain one straight from Session Manager. Launch System Manager and go to the Security tab. You have the ability to download the certificate from there.
However, that’s the old-fashioned way. The better way is to create your own certificate or buy a public certificate. That’s the direction Avaya is moving.
many thanks Andrew
Glad to be of service.
Good one, thanks.
Andrew, thanks for an excellent article. How long do the Avaya SIP endpoints (96x1) maintain these certificates? Are they lost and need a re-download from the file server after they are rebooted? Are we able to load the certs once and run the phone as remote workers (via SBCE) without the need for a file server?